Tree Branches for Mozilla 1.7Wednesday April 14th, 2004On Monday, the new Mozilla 1.7 branch was cut from the trunk, in preparation for the final release of Mozilla 1.7 in mid-May. As well as 1.7, the branch will also provide the foundation for Mozilla Firefox 1.0 and several other Mozilla-based applications. Post-1.7, the new branch will replace 1.4 as the stable development baseline. Checkins to the branch require approval from drivers@mozilla.org — the trunk, meanwhile, is now open for 1.8 Alpha development work. Consult tinderbox for the latest tree status. #1 Some info about security fixes would be nice thankby bugs4hj Wednesday April 14th, 2004 10:09 PM Mozilla still has some security issues that should be fixed for 1.7 final. What about a short update? Don';t tell me that The Mozilla Foundation turned into The Microdoft Foundation. "Hide what you can hide for as long as you can" Well if you'de specify what security issues your are talking about the developers can respond to them. Just saying that there are open security issues of bogs isn't sufficient... NO, this is on a NTKB only! Btw, I really hope that this November 2003 document will be replaced with something more up to date. I am a member of the security group: http://www.mozilla.org/projects/security/secgrouplist.html . (Being in the security group means that I can search for and view bugs in Bugzilla marked as security-sensitive and that I'm on a private mailing list.) Can you e-mail me the bug number or post the bug number here? Jesse, this is not about mozilla having security holes, this is also not about a specific bug number, because there are more security related issues in mozilla still left unfixed. You of all should know that! You even filed some of them, a long time ago. I also filed one a long time ago, but none of them have been fixed (I am talking about bugs that go back as far as 2000/2001). Also, I don't think I have to tell you the bug numbers, because you can easily look for them in bugzilla. So my first question is: "Are you saying that there are no security related bugs left unfixed in current builds?" However, there is one specific bug number that I would like to see fixed for mozilla 1.7. This is bug 235457 and that bug was introduced with the patch for bug 198846, but I can't find Christopher Aillon's 'Make 'CAPS not lie bug' but that should be there somewhere... My second question is: "Do you agree that this November 2003 document should be updated?". "Jesse, this is not about mozilla having security holes, this is also not about a specific bug number, because there are more security related issues in mozilla still left unfixed." I don't think you have access to any of the bugs in question. It's hard for me to know whether you're trolling, mistaking "marked as security-sensitive" for "a (major) security hole" after seeing only the bug number, extrapolating, or correct. If you're correct, I want to know what the bug number(s) so I judge its severity, see what Mitch, caillon, dveditz, etc. have said on the bug, and e-mail the security group if I think it's been incorrectly neglected. "You even filed some of them, a long time ago." Of the 55 (?) security bugs I filed, 4 are unfixed. The first is severe and I have already committed to disclose it after Mozilla 1.7 and Firefox 0.9 because I am frustrated that it has not been fixed. The second might be severe, depending on my mood. The third is probably not exploitable. The fourth is a variation on the first. "Also, I don't think I have to tell you the bug numbers, because you can easily look for them in bugzilla." There are 85 open bugs with 'group' 'is equal to' 'security'. Over half of the oldest 14 are bugs bsharma filed with "?" at the end of the summary, and seem to be requests for security developers to investigate. 22 are UNCO. Some of the UNCO were mistakenly filed as security-sensitive and others are unconfirmed security bug reports. I don't feel like reading through all 85 bugs to determine which are actually security bugs (and which of those are fixable). Maybe I will this summer when I'm bored and/or when I'm paid to work on Mozilla. Or maybe I'll trust Christopher Aillon to do the right thing next time he goes through the bugs. "Are you saying that there are no security related bugs left unfixed in current builds?" I am not saying that. "Do you agree that this November 2003 document should be updated?" I assume you're talking about http://www.mozilla.org/projects/security/known-vulnerabilities.html. Sure, it would be nice if it was updated more often, but I'm not volunteering and I'm not convinced that's a better use of dveditz's and caillon's time than making Mozilla secure. "On Monday, the new Mozilla 1.7 branch was cut from the trunk" I had assumed that this had happened a long time ago. After all I'm using Mozilla 1.7b dated 16th March. I assumed that 1.7 branch would be cut and then the 'cut' branch would go beta and final. Where then did my Mozilla 1.7b come from? The trunk? UA strings tend to be ahead of branches and releases. Trunk builds have had "1.7b" in their UA strings for a while. Soon they will have 1.8a instead. Your assumption is incorrect - the beta is released from the trunk, and then the branch is cut for final. The trunk is frozen from just before the beta, so only important/low-risk changes go into the trunk until the branch is cut (and then of course only important/low-risk changes go onto the branch) Anyone know, or is it too early to say? |